Secret Microsoft policy limited Hotmail passwords to 16 characters

Users shocked to learn that Hotmail has silently enforced the policy for years.

For years, Microsoft engineers have quietly limited Hotmail passwords to 16 characters, a revelation that has surprised and concerned some users who have long entered passcodes twice that long to access accounts.

One such user is Costin Raiu, the director of the global research and analysis team at antivirus provider Kaspersky Lab. On Friday he reported receiving a new error message when he entered the same 30-character passcode he long used on the Microsoft site. When he typed in the first 16 characters, as the error message directed him to do, he was able to access his account just fine. The change concerned Raiu, because it meant that for years his Hotmail account hadn't been as secure as he was led to believe.

"To pull off this trick with older passwords, Microsoft has two choices," he wrote. Choice one: "Store full plaintext passwords in their [database]; compare the first 16 [characters] only." Choice two: "Calculate the hash only on the first 16; ignore the rest."

Storing millions of passwords as plaintext is among the biggest sins website administrators can commit. But Raiu wasn't pleased with the competing possibility, that "since its inception, Hotmail was silently using only the first 16 chars of the password." That would mean his passcode wasn't nearly as resistant to brute-force attacks as he had thought. "To be honest, I'm not sure which one is worse," he wrote.
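The two implementations Raiu lists, and the check a user can run to tell a truncating login from an honest one, look like this in practice. This is an added example, not Microsoft's code (the article does not say how Hotmail stored or checked passwords); PBKDF2-HMAC-SHA256 with 100,000 iterations and a 16-byte salt are assumed parameters, and the probe string appended to the password is arbitrary.

```python
import hashlib
import hmac
import os

# Assumed parameters for the demonstration; the article does not say what
# Hotmail actually used.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
TRUNCATE_AT = 16  # the limit the article describes


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def store_password(password: str):
    """Correct scheme: hash every character the user typed."""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password, salt)


def verify_password(password: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def store_password_truncated(password: str):
    """Raiu's 'choice two': hash only the first 16 characters and ignore the
    rest. Nothing is stored in plaintext, yet everything past position 16 is
    irrelevant to login."""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password[:TRUNCATE_AT], salt)


def verify_password_truncated(password: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(_derive(password[:TRUNCATE_AT], salt), digest)


def probe_silent_truncation(verify, record, password: str,
                            limit: int = TRUNCATE_AT) -> bool:
    """The check a user can run against their own account: if login still
    succeeds with the tail removed or with junk appended, the service is
    silently truncating. Only meaningful for passwords longer than `limit`."""
    if len(password) <= limit:
        raise ValueError("use a password longer than the suspected limit")
    tail_dropped = verify(password[:limit], record)
    junk_appended = verify(password + "!!NOT-PART-OF-MY-PASSWORD!!", record)
    return tail_dropped or junk_appended


if __name__ == "__main__":
    pw = "secretpasswordtomaleedisonomega"  # the article's 31-character example
    good = store_password(pw)
    bad = store_password_truncated(pw)
    print("honest scheme truncates silently:",
          probe_silent_truncation(verify_password, good, pw))
    print("truncating scheme truncates silently:",
          probe_silent_truncation(verify_password_truncated, bad, pw))
```

Against a live service, run the probe only on an account you own and mind lockout and rate-limit policies: the failed attempt against an honest service counts as a bad login. The probe separates "silently truncates" from "checks the whole string", but it cannot distinguish Raiu's choice one (plaintext, compare a prefix) from choice two (truncate, then hash); from the outside both behave identically, and only the operator can say which it is.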

Longer is better, but uniqueness is best

A Microsoft representative told Ars that "Sixteen characters has been the limit for years now" and downplayed concerns that the policy unnecessarily opens users to account breaches.

"Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways," she wrote in an e-mail. "However, while we agree that in general longer is better, we've found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords."

The spokeswoman declined to say why Microsoft passwords are required to be so much shorter than the passphrases allowed by competing services. In a blog post from July, however, Eric Doerr, a Microsoft Group program manager for Microsoft accounts, suggested the limitation is the result of engineering decisions intended to make passwords compatible across multiple product lines.

"Password length—we are working on increasing this," he wrote in a comment accompanying the blog post. "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market."

The spokeswoman's response appears to indicate that Microsoft engineers don't store passwords in plaintext, although she didn't address that question directly despite Ars specifically asking about it. Assuming the passcodes are stored as salted one-way hashes generated with the PBKDF2 key derivation function, sha512crypt, or another algorithm designed for password hashing, Microsoft is mostly right to downplay the consequences of the 16-character limit. That's because, despite the growing sophistication of password cracking, brute-force attackers hit an "exponential wall" when trying to cycle through every possible password longer than about eight characters.

Even when attackers rent computing capacity from Amazon's cloud services, a unique, randomly generated password of more than eight characters takes on average more than 10 days to guess. Each additional character multiplies the number of candidates by the size of the character set, roughly 95 for printable ASCII, so every extra character adds nearly two orders of magnitude to the work. That arithmetic holds only for the characters the service actually hashes and checks.

False sense of security

The biggest problem with the limitation is that Microsoft enforced it silently. Users like Raiu believed all 30 characters were required to access an account when in fact only the first 16 were ever checked. Depending on the password, this secret policy may have made accounts less secure than their owners calculated. Imagine, for instance, a user who picked "secretpasswordtomaleedisonomega" to log in to Hotmail. That string is far more resistant to a cracking attack than "secretpasswordto," its first 16 characters, which is all the service actually tested: a prefix made of common words, with the unusual tail of the passphrase thrown away. By concealing the 16-character maximum for all these years, Microsoft may have given users a false sense of security.
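An added example, not from the article, modelling the attack the preceding paragraphs describe: a combinator (dictionary-concatenation) attack against the 16-character prefix a truncating site actually verifies versus against the whole passphrase, alongside the per-character growth of exhaustive search. The wordlist is constructed for the demo, unsalted SHA-256 stands in for the unknown verifier, and reading the article's 31-character example as six dictionary words ("secret password to male edison omega") is my own decomposition.

```python
import hashlib
import itertools
import math

TRUNCATE_AT = 16  # the limit the article describes

# Constructed toy wordlist for the demonstration. Real cracking wordlists hold
# millions of entries, which makes the depth effect shown here larger, not smaller.
WORDLIST = ["secret", "password", "to", "male", "edison", "omega",
            "correct", "horse", "battery", "staple", "fluffy", "pet"]


def fast_hash(candidate: str) -> bytes:
    """Unsalted SHA-256 stands in for a leaked verifier. Against a slow hash the
    attack logic is identical; each guess just costs proportionally more."""
    return hashlib.sha256(candidate.encode("utf-8")).digest()


def combinator_attack(target: bytes, wordlist, max_words: int):
    """Try every concatenation of 1..max_words entries from the wordlist.
    Returns (recovered_password or None, number_of_candidates_tried)."""
    tried = 0
    for depth in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=depth):
            tried += 1
            candidate = "".join(combo)
            if fast_hash(candidate) == target:
                return candidate, tried
    return None, tried


def combinator_keyspace(wordlist_size: int, max_words: int) -> int:
    """Worst-case candidates for a combinator attack of the given depth."""
    return sum(wordlist_size ** k for k in range(1, max_words + 1))


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Worst-case candidates for exhaustive search: each extra character
    multiplies the count by the charset size (the 'exponential wall')."""
    return charset_size ** length


def bits(keyspace: int) -> float:
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    return keyspace / guesses_per_second


def compare_full_vs_truncated(full: str, words_in_full: int, words_in_prefix: int,
                              wordlist_size: int = len(WORDLIST)):
    """Keyspaces an attacker faces for the whole passphrase versus the prefix a
    truncating service actually verifies. Brute-force bits assume all-lowercase."""
    prefix = full[:TRUNCATE_AT]
    return {
        "prefix": prefix,
        "prefix_combinator_keyspace": combinator_keyspace(wordlist_size, words_in_prefix),
        "full_combinator_keyspace": combinator_keyspace(wordlist_size, words_in_full),
        "prefix_bruteforce_bits": bits(brute_force_keyspace(26, len(prefix))),
        "full_bruteforce_bits": bits(brute_force_keyspace(26, len(full))),
    }


if __name__ == "__main__":
    # The article's example, read here (my decomposition) as six dictionary words.
    full = "secretpasswordtomaleedisonomega"
    prefix = full[:TRUNCATE_AT]
    found, tried = combinator_attack(fast_hash(prefix), WORDLIST, max_words=3)
    print(f"prefix {prefix!r} recovered as {found!r} after {tried} candidates")
    print(compare_full_vs_truncated(full, words_in_full=6, words_in_prefix=3))
    # Each extra random printable-ASCII character multiplies exhaustive work by ~95.
    print(worst_case_seconds(brute_force_keyspace(95, 9), 1e9)
          / worst_case_seconds(brute_force_keyspace(95, 8), 1e9))
```

The three-word prefix falls in under two thousand candidates against this toy list, while the six-word original needs a depth the same attack is not even run at here; the script only computes that keyspace. Substitute a real wordlist size for `wordlist_size` to see how the gap scales.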

In his July post, Microsoft's Doerr said the company is in the process of moving beyond the use of mere passwords to grant users entry to their sensitive account data. Both the Xbox.com domain and its SkyDrive file hosting service, for example, require two-factor authentication to carry out many activities.

"We are learning a lot from this and have more in the works," he wrote. "We see two-factor auth as being an increasingly important piece of our protection suite."

Promoted Comments

I'm kind of surprised at all the commenters saying this is no problem whatsoever. It seems like people didn't bother reading the article.

Sure, a 16-character password may be acceptable *if you know about the limitation*. And obviously, this is not a new limitation.

The problem is that Hotmail has, until very recently, just thrown away any parts of your password which didn't fit, instead of giving you a warning or an error message.

When you pick a password, you try to make it unique and hard to guess. But whether *half* your password could be guessed typically isn't a concern. That's why XKCD recommends the now famous "correct horse battery staple". None of those four words is particularly hard to guess, but combined, there's a lot of entropy.

But suppose you use it on a site which silently, without informing you, throws away everything past the first 7 characters. Your password is now "correct". Wanna guess at how fast a hacker can guess *that* one? Now, in this case they keep 16 characters, and not 7 (so it'd be "correct horse ", which is harder, but still hardly what I'd consider a good password), but the principle is the same. If you picked a long passphrase on the assumption that "it's ok to use plain english words, as long as the password string is sufficiently long", then you can wave any kind of security goodbye if it turns out that said length is completely disregarded, and only the first handful of characters are actually significant.

Back at my old job, we did a lot of work in Red Hat Enterprise Linux. I don't know if they've changed it since, but while you could enter passwords of any length and you could have policies enforcing things like "must have at least one non-alphanumeric character", when logging in, it only cared about the first 8 characters. So you could fulfill the aforementioned rule by making your 9th character a question mark or something, but then type your alphanumeric 8-character password, minus that 9th character, and it would let you log in.

Well - I suppose that's not good for those folks that are anal about having a 900-character password - but it really is not all that bad if they allow for 16 characters.

So to put things in perspective:

- the iPhone thru iOS ver 3.x only allowed for a 4-digit code.
- my ATM card still has a 4-digit PIN.
- Master Lock's combination locks (for high school lockers) are 3-digits.

It has little to do with the 16-character limit, and everything to do with the way that limit was handled. The user should be told that their password exceeds it, so that they know to change that password. Otherwise you run the risk that the first 16 characters are dictionary words, while the "unique" portion is being typed after the computer has stopped paying attention...leading to a password much less secure than the user thinks.

A 16-character password can be quite secure. A 16-character password that the user thinks is 30-character, however, can be ridiculously insecure.

Well I use Hotmail occasionally and no other Microsoft service. How am I supposed to know about this 16 character limit? I've had no reason to access 'help' where this information is supposedly hidden.

Some people use phrases, which can easily exceed 16 characters. Say you use a phrase like: my/favorite/pet/is/fluffy. It is easy to remember and type (if you can touch type).

Then every year you change the password by changing the name of the pet. But it turns out your password isn't getting changed at all!

All the 'this kind of thing has often occurred in the past', 'company xyz also does this', 'no one ever cared about this before' arguments are really out of date. Read the news. Major companies are getting broken into daily. Whole countries are putting massive resources into breaking passwords. Our standards are getting higher so we are right to no longer put up with this nonsense.

When they complain about how hard it is to change their software to be more than 16 characters, they are complaining about the wrong thing. It is not very difficult to have Hotmail let you know that they have this limit when you try to put in a longer password, so we can at least know what we are dealing with (which they finally decided to do).

124 Reader Comments

Quote:

The limitation is in stark contrast to those found on services such as Gmail, which reportedly permits passwords as long as 200 characters or even Yahoo Mail, which allows 32-character passwords.

Reminds me of that one ST:TNG episode where Data goes apey and impersonates Cpt. Picard; he then takes over the ship and provides some insanely long password.

... aaaaaaand my nerd quotient just went up a bit.

Naaaaah, but if you somehow KNEW the password....

Trick question! The password Data dictated to the computer is different in 3 places from the password that appears on the screen as the computer accepts it. Now, knowing both would be hardcore. /super-nerd

Using a 30 character password is so utterly over kill, it's like swatting a fly by sling-shotting a whole goddamn star at the earth. It is 94^18 overkill.

I doubt anybody would argue with this. But if the first 16 characters of your password are easy to guess and only character 17-30 contain a hard to guess sequence, you are not only duped into a false sense of security. You are actually more vulnerable because of this less than transparent truncation policy.

You can't tell me this wasn't a flaw by design, mirroring planned obsolescence. It's kind of like Microsoft putting out Bitlocker, then creating COFEE so that police can circumvent it. 16 characters helps to limit the size of rainbow tables. A false sense of security? SOLD!

Anyone that thinks a 30 character password is any safer than a 16, or even 12 character password is ignorant at best. No one is going to brute force a proper 12 digit password in our lifetimes, never mind anything longer. If your account is going to get cracked, it's because MS saved your pw in plaintext, let an admin use "admin" as his password, or something stupid like that.

Quote:

Using a 30 character password is so utterly over kill, it's like swatting a fly by sling-shotting a whole goddamn star at the earth. It is 94^18 overkill.

Count me among the ignorant then. I like passwords that are all lower case words---much easier for me to type and remember than some 12 digit string of random symbols. The downside is that I need longer passwords to protect against dictionary attacks.

What I hate is that Microsoft, and many others, are trying to force these incomprehensible short passwords on me. Read the xkcd comic...

In Microsoft's defense though, they are hardly the only one that does this. If I care enough about a site, I will purposely mistype the end of my password just to check to see if they are using the whole thing.

correcT~4batterY

Length: 16. Character set: 82. Entropy: 77 bits.

Two words, a character, a number, and the last letter of each word capitalized. Not incomprehensible in the least, and avoids several typical tendencies in passwords. Could be mixed up too, for example, capitalize the second to last letter. Really, only one letter needs to be capitalized, but it shouldn't be the first letter, as most people do that and crackers assume the first letter is cap.

You can waste hours of your year typing out excessively long passwords if you like, but the rest of us don't have to enable you.

I can confirm that I ran into this problem several months ago, and was displeased by it. I've been using passwords with >=18 random characters for some time now. But Hotmail won't let me...

To anyone who thinks this isn't an issue, think of Moore's Law... Exponential increase in difficulty with password length, over exponential progress in processing power; basically means that with time, there is (presuming a log-linear continuation of Moore's Law) a linear increase in the length of password required to defeat brute-force attacks... Except, password cracking software is getting more intelligent, as more pw db's are cracked, enhancing the knowledge of those designing these tools. So the situation is worse than linear with time.

So I'd rather be safe than sorry. Online banking? >30 random characters please, with strong & slow hashing function. Hotmail/ MSDN? >20 random characters please... Any less than half of that entropy is really asking for trouble these days...

Hotmail... security... huh? Using a web mail account and THAT getting hung up over security seems odd to me, not that Hotmail isn't in the wrong here.

A former financial firm of mine absolutely didn't allow numbers or special characters in passwords, max length 12. While my electrical utility has a similar limitation, if someone wants to hack into my electric bill online and maliciously pay it, I'm okay with that.

Quote:

Hotmail... security... huh? Using a web mail account and THAT getting hung up over security seems odd to me, not that Hotmail isn't in the wrong here.

A former financial firm of mine absolutely didn't allow numbers or special characters in passwords, max length 12. While my electrical utility has a similar limitation, if someone wants to hack into my electric bill online and maliciously pay it, I'm okay with that.

What if they hack in to your whole neighborhood and make you the financially responsible party for all their bills?

One of the ideas I had would be to replace passwords entirely with two-step authentication. Basically using the lock-and-key authorization technique of needing the solid lock (for instance an RSA token) and the virtual key (the pin you define yourself) to log into all systems. I'm not saying RSA is the way to go for the overarching login process, but it's the type of idea that I think would help out immensely with internet security. With that type of security, it wouldn't matter if someone knew your pin if they didn't have your token or if they had your token without the pin. Plus, if you gave someone one of the token numbers, it wouldn't help anyone to log into your account since they would need at least two different numbers to work out the algorithm that your specific token used.

It also would mean everyone's login information stored in one centralized location (definitely not an ideal or secure setup), but it is something that might be a step in the right direction at least.

Quote:

The limitation is in stark contrast to those found on services such as Gmail, which reportedly permits passwords as long as 200 characters or even Yahoo Mail, which allows 32-character passwords.

Reminds me of that one ST:TNG episode where Data goes apey and impersonates Cpt. Picard; he then takes over the ship and provides some insanely long password.

... aaaaaaand my nerd quotient just went up a bit.

It's:

173467321476C32789777643T732V73117*888732476789764376Lock

The letters are said as their phonetic letters though "Charlie, Tango, Victor".

The two bolded numbers did not appear on the LCARs readout and where the * is - the LCARs showed " ONE" that was not said.

I can imagine that day when the FX guys were doing the LCARS overlay video.

'I don't think we got all the numbers right from Brent's line'
'Close enough. Waddya think, that someday this episode will be released on home video and somebody is going to obsessively compare the spoken line to the LCARS video?'
'Hahaha, yeah, I guess you're right, that'd be kinda crazy'

This was actually not a secret. I worked for RIM in Technical Support and this was actually a known issue that we would come across now and again when integrating Hotmail/MSN accounts into BIS. It's documented in this public Knowledge Base article (http://goo.gl/j3r2b).

Regardless, I think that 16 characters is acceptable for the length of a password, when used properly.

There's 10 digits, 26 characters lower case and another 26 uppercase, and maybe leave room for about 15 symbols, give or take and a one character password has 77 possibilities. That would make a person wear out if they were doing it by hand.

A brute-force attack with a computer could cut through 77 choices pretty quickly, so let's make it two characters long. Now there's 5929 choices. OK, still too small; three characters makes 456533 choices. That's getting better, but hey, we haven't used the 16 characters up yet.

Let's use all 16, now 77^16 = 1527044182248015256482296477761 possibilities. That's not enough? Really? Is he nuts? You would have to try 3.3 trillion of them per second for the age of the universe to get them all.

Quote:

correcT~4batterY

Length: 16. Character set: 82. Entropy: 77 bits.

Two words, a character, a number, and the last letter of each word capitalized. Not incomprehensible in the least, and avoids several typical tendencies in passwords. Could be mixed up too, for example, capitalize the second to last letter. Really, only one letter needs to be capitalized, but it shouldn't be the first letter, as most people do that and crackers assume the first letter is cap.

You can waste hours of your year typing out excessively long passwords if you like, but the rest of us don't have to enable you.

I'll disagree with you on two points here:

1. I find "correcthorsebatterystaple" easier to remember and type than "correcT~4batterY". I'd have trouble remembering which letters I capitalized and what symbol I used. Plus, I find typing with all those shifts to be more difficult than typing four lowercase words. Your experience may differ, of course.

2. The entropy of "correcT~4batterY" is much less than 77 bits. You're assuming that this one isn't susceptible to a dictionary attack, but it is. It is two modified dictionary words, with a couple common symbols in between them. I'm not sure what the entropy is, but it is definitely easier to find than 16 random characters.

We now know the length of the hash for every password in the Hotmail database.

If the hashed password database were ever stolen, the black hats need only figure out what the fill character is for short passwords, and begin a known-password-match attack, which could yield the bulk of (length < 9 character) passwords in three or four days, and yield some passwords within hours.

This is why good security includes passwords of arbitrary length. It makes hash length less predictable, and harder to crack.

My 15 character randomized password will take more time to crack, giving me more time to (a) find out about the breach, and (b) change my password.

If you haven't read Dan's article about how vulnerable passwords really can be, you should. You can also check out Steve Gibson's "Death of Clever" podcast, which goes into ways to strengthen and manage passwords.

I was especially surprised at the new "limit" inasmuch as I'd long ago read Microsoft's *own* article on creating safe passwords - http://www.microsoft.com/security/onlin ... reate.aspx - in which an example password was given as "ComplekspasswordsRsafer2011", which (if I'm counting correctly) is 27 characters long.

When I found out about the 16-character policy (about 3 weeks ago) I was shocked and disappointed. But that's that. I recently signed up for a site which enforces a 12 character policy. But what disturbed me more was the fact that they enforced an alphanumeric policy. I normally use sentence abbreviations for passwords, like "Fünf überdimensional grosse Füchse liefen und tanzten." -> "5ügFL&T." (I use German for the Umlaute), and I couldn't. The site in question has about 4 million customers, each of them paying money, all of them associating personal information with the accounts. That really hit me hard.

No, entropy is something that's calculated. It's not a speculative "time to crack" calculation. You can make relative comparisons, but the XKCD password is easier to crack than the one I speculatively posted. Since both have been posted in a public forum, I don't suggest you use either.

Quote:

You're assuming that this one isn't susceptible to a dictionary attack, but it is.

You don't use every possible permutation of a word in a dictionary attack. A dictionary attack is only a time saver when it has fewer permutations than the combination of letters within. So long as you avoid doing the obvious thing, such as capping only the first letter, you dramatically reduce their effectiveness. As such, by inserting a (from the outside perspective) random cap, a cracker has to go from searching all available words to checking against each letter.

Quote:

It is two modified dictionary words, with a couple common symbols in between them.

Dictionary attack doesn't help when you're using two arbitrary length words with symbols between them. Also, "common symbols" is a meaningless term. There's 94 characters on the keyboard, they're all common. By using them, however, you vastly expand the character space that needs to be calculated, which is what increases entropy. 94^16 is a much larger space than 26^16, in short.

Quote:

[It is] easier to find than 16 random characters.

I never said it was. The person I was responding to didn't like randomly generated passwords. This method is a hybrid that's much shorter, compliant with MS's requirements, and has greater entropy than the much longer password from the comic. If the user can't be bothered to use a quicker, safer system than the one he's using, that's up to him. I'm not his admin. That doesn't make it logical, though.

Quote:

correcT~4batterY

Length: 16. Character set: 82. Entropy: 77 bits.

Two words, a character, a number, and the last letter of each word capitalized. Not incomprehensible in the least, and avoids several typical tendencies in passwords. Could be mixed up too, for example, capitalize the second to last letter. Really, only one letter needs to be capitalized, but it shouldn't be the first letter, as most people do that and crackers assume the first letter is cap.

You can waste hours of your year typing out excessively long passwords if you like, but the rest of us don't have to enable you.

I'll disagree with you on two points here:

1. I find "correcthorsebatterystaple" easier to remember and type than "correcT~4batterY". I'd have trouble remembering which letters I capitalized and what symbol I used. Plus, I find typing with all those shifts to be more difficult than typing four lowercase words. Your experience may differ, of course.

2. The entropy of "correcT~4batterY" is much less than 77 bits. You're assuming that this one isn't susceptible to a dictionary attack, but it is. It is two modified dictionary words, with a couple common symbols in between them. I'm not sure what the entropy is, but it is definitely easier to find than 16 random characters.

Any hash is calculated on the entire password and not individual portions (unless you're talking about something like LanManager Auth, which stored the passwords in separate 8 character hashes). So unless there's one HELL of a dictionary, neither password is vulnerable to dictionary attack (well the first one is, but only because you know that someone read the XKCD and is using that as their password).

If they salt the passwords (as any sane system should), then neither is at all vulnerable to dictionary attack.

Question: I use a password manager, but not yet for my online bank account. I keep that one out of my password manager, because I'm worried that someone would crack my password manager file and log in my bank account. Is that a reasonable worry?

It's apparent this wasn't really a 'secret', but even if it was, isn't hiding max password length better than publishing it?

It's good they are working to extend it.

There's no such thing as security through obscurity.

Yes there is. And it can work fine for a while, but when it fails, it fails spectacularly.

But you can also combine obscurity with strong security. I.e.: no one knows how you implemented your security or encryption AND it happens to be extremely strong (making it harder to set up an automated attack... and even if they do manage to set up an automated attack, it will still take them years to break your security).

On principle alone, I think limiting a password length (or what characters you can use - which isn't the case here) to anything but a non-reasonable limit (like Google's 200 character limit, something you'd really never reach) is a tad ridiculous, but even so if you have a properly randomized password, even at 16 characters it is computationally impossible to brute-force it. In that way this is a bit of a non-story. I remember signing up for my LIVE account that it said what the limits were on the password so I'm not sure how this is such a huge deal, but limiting a 30-character password to just 16 characters is - let's be honest here - not going to limit your security in any way shape or form.

On that note though, as I said in the beginning, on principle alone I always find password restrictions annoying. If I want to use a completely randomized 50-character password with punctuation, spaces, letters and numbers you should damn well let me. Even if it's totally unnecessary.

Quote:

No, entropy is something that's calculated. It's not a speculative "time to crack" calculation. You can make relative comparisons, but the XKCD password is easier to crack than the one I speculatively posted. Since both have been posted in a public forum, I don't suggest you use either.

I'll try to calculate the entropy of "correcT~4batterY". Let's start with "correctbattery", which is about 22 bits of entropy. I'd say that by introducing the possibility of capitalizing either the first or last character of each word, you are adding 2 bits of entropy per word. So that gets us to 26 bits of entropy. Adding a number or symbol to the beginning, middle, or end of the word, I'd say that adds about 7.5 bits per character. So that gets us to about 41 bits of entropy. I'll agree that 41 bits of entropy is fine. But it isn't quite as good as four random words from a decent-sized dictionary.

Quote:

You don't use every possible permutation of a word in a dictionary attack. A dictionary attack is only a time saver when it has fewer permutations than the combination of letters within. So long as you avoid doing the obvious thing, such as capping only the first letter, your dramatically reduce their effectiveness. As such, by inserting a (from the outside perspective) random caps, a cracker has to go from searching all available words to checking against each letter.

Except that many modified dictionary attacks will in fact try permutations of a word, such as capitalizing the first character. It's debatable whether such an attack would try to capitalize just the last letter.

One nice thing about using dictionary words as your password is that you know what the best attack is. If I use a 10000 word dictionary, then the number of combinations from four random words is exactly 10000^4. No one is going to find a better attack against my password.

Quote:

It's apparent this wasn't really a 'secret', but even if it was, isn't hiding max password length better than publishing it?

It's good they are working to extend it.

There's no such thing as security through obscurity.

That old chestnut doesn't stand up to scrutiny. Security is all about obscurity. Keeping things unknown. If the maximum length had actually been unknown all these years, then that's one less piece of information that can be used against you.

Yea Matt, or the people who have apparently used the SAME 30 character password for years... isn't changing passwords routinely often more important than the password itself? This guy isn't taking security into his own hands, and he's upset at Microsoft for doing no less than he does. I'm not saying Microsoft is in the right here; not at least telling the user that it's only allowing 16 digits is dishonest at best. I just don't have a lot of sympathy for someone who has had the same password for a long time.

What if their method of changing their password is to change, say, the last four characters? pretty common method of keeping passwords easy to remember, changes the hash sufficiently to be secure, but for these people, their hash didn't change.

Quote:

It's apparent this wasn't really a 'secret', but even if it was, isn't hiding max password length better than publishing it?

It's good they are working to extend it.

There's no such thing as security through obscurity.

That old chestnut doesn't stand up to scrutiny. Security is all about obscurity. Keeping things unknown. If the maximum length had actually been unknown all these years, then that's one less piece of information that can be used against you.

Bullshit. Security is not "all about obscurity". Obscurity is the hiding of facts, security is making sure only the right people have access to the facts. Those two aspects are not mutually exclusive. That and the fact that MS limits the password length to 16 characters has never been hidden, i.e. it's never been obscure, people were just too lazy to read fully.

Hell, look at any type of public/private key encryption. Parts of it are completely out in the open, but the good bits are only known to people that have been given permission. Nothing is obscured, but the system works just fine.

Security through obscurity only works as long as the obscured stays obscure. As soon as it's found out, the security aspect evaporates, therefore it was never really secure to begin with. With teh intartubes and instant access to everything, there is...no...such...thing as security through obscurity, even though many seem to think otherwise.